CVE-2026-27369
Received Received - Intake
Deserialization Object Injection in BoldThemes Celeste

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27369
EUVD
EUVD-2026-9627
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
boldthemes celeste to 1.3.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27369 is a PHP Object Injection vulnerability found in the WordPress Celeste Theme versions up to and including 1.3.6. It allows unauthenticated attackers to inject malicious PHP objects into the application by exploiting the deserialization of untrusted data. This can lead to severe security issues if the attacker can use a suitable Property Oriented Programming (POP) chain.

Impact Analysis

This vulnerability can have serious impacts including the possibility for attackers to execute arbitrary code, perform SQL injection, conduct path traversal attacks, cause denial of service, and other exploits. Since it requires no authentication, attackers can exploit it remotely, potentially compromising the entire website or server.

Compliance Impact

I don't know

Detection Guidance

There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.

Mitigation Strategies

Since no official patch is available for this vulnerability as of the publication date, immediate mitigation involves applying the mitigation rule issued by Patchstack to block attacks targeting this flaw.

Website owners should proactively implement this mitigation to protect their sites from exploitation.

Monitoring for updates and applying an official patch once released is also recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart